Tampa General Hospital Says Incident Involved Thwarted Ransomware Encryption Attempt
A Florida hospital is notifying 1.2 million patients that their information was stolen by hackers in a cybersecurity incident that spanned nearly three weeks in May as attackers tried to encrypt the entity’s systems with ransomware.
The hospital repelled the attack, but unfortunately couldn’t stop the breach.
Tampa General Hospital, a not-for-profit private hospital that has 1,040 beds, 8,000 employees and serves a dozen counties with a population of more than 4 million people, in a notice posted on its website Wednesday, said it detected “unusual activity” on its computer systems on May 31.
Through the use of monitoring tools and assistance from a third-party forensics firm, TGH said it prevented the attacker from encrypting its systems and data, which would have otherwise “significantly interrupted the hospital’s ability to provide care for patient.”
Still, the investigation into the incident found that an unauthorized third party accessed TGH’s network and obtained certain files from hospital systems between May 12 and May 30, the hospital said.
Information contained in the compromised files varied by individual, but includes patients’ names, addresses, phone numbers, dates of birth, Social Security numbers, health insurance information, medical record numbers, patient account numbers, dates of service, and certain treatment information used by TGH for its business operations.
The hospital’s electronic medical records system was not compromised in the incident.
A TGH spokeswoman declined Information Security Media Group’s request for additional details, including the variant of malware and cybercriminal group connected to the incident. She told ISMG that some media reports of the incident involving leaks to the dark web by a group, Snatch Team, which claimed to have 4 terabytes of TGH data, were “not accurate.”
In the wake of the incident, TGH said it is “continuously updating and hardening systems to help prevent events such as this from occurring and has implemented additional defensive tools and increased monitoring.”
The hospital said it will offer complimentary credit and identity monitoring to individuals whose Social Security numbers were compromised in the incident.
As of Friday, the TGH incident had not yet been posted on the Department of Health and Human Services’ Office for Civil Rights’ HIPAA Breach Reporting Tool, which lists health data breaches affecting 500 or more individuals.
Nine of the 10 largest HIPAA breaches posted so far this year to the HHS OCR’s website were reported as hacking/IT incidents, including several ransomware and exfiltration incidents (see: Mid-Year Health Data Breach Analysis: Top Culprits).
Of those, the largest ransomware-related breaches so far in 2023 were reported by institutional pharmacy PharMerica, affecting nearly 6 million people, and by California medical group Regal Medical Group, affecting about 3.3 million people.
Ransomware breaches, including incidents involving encryption or data exfiltration, or both, continue to menace HIPAA-covered entities and their business associates, Susan Rhodes, HHS OCR acting deputy director of strategic planning and regional manager, told attendees at the ISMG healthcare security summit on Tuesday.
In 2022, of the 559 major hacking/IT incidents reported to HHS OCR, at least 136 involved ransomware, Rhodes said.
Officials from the Department of Homeland Security say they also see similar persistent trends afflicting the healthcare and public health sector.
Nitin Natarajan, deputy director of DHS’ Cybersecurity and Infrastructure Security Agency, warned ISMG summit attendees this week that malicious actors are continuing to expand their healthcare sector targets. That means more ransomware, DDoS and other cyberattacks on small clinics and doctor practices, rural hospitals, and other segments of the sector, including pharmaceutical makers and similar entities.